[Backport] Downloads : Fixed an issue of opening incorrect download file

When one download overwrites another completed download, calling download.open in the old download causes the new download to open, which could be dangerous and undesirable. In this CL, we are trying to avoid this by blocking the opening of the old download.

TBR=shaktisahu@chromium.org

(cherry picked from commit a8d6ae61d266d8bc44c3dd2d08bda32db701e359)

Bug: 793620
Reviewed-on: https://chromium-review.googlesource.com/826477
Reviewed-by: David Trainor <dtrainor@chromium.org>
Reviewed-by: Xing Liu <xingliu@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/849195
Reviewed-by: Shakti Sahu <shaktisahu@chromium.org>
(CVE-2018-6033)

Change-Id: Ia7d2ea6f904cbef2df734479ad2731bea3b8450b
Reviewed-by: Michael Brüning <michael.bruning@qt.io>

7 files changed, 27 insertions, 1 deletions

diff --git a/chromium/content/browser/download/download_item_impl.cc b/chromium/content/browser/download/download_item_impl.cc
index a5d7db8cef5..5e37c80bbfd 100644
--- a/chromium/content/browser/download/download_item_impl.cc
+++ b/chromium/content/browser/download/download_item_impl.cc
@@ -849,7 +849,8 @@ bool DownloadItemImpl::CanOpenDownload() {
   // they aren't owned by the download system.
   const bool is_complete = GetState() == DownloadItem::COMPLETE;
   return (!IsDone() || is_complete) && !IsTemporary() &&
-         !file_externally_removed_;
+         !file_externally_removed_ &&
+         delegate_->IsMostRecentDownloadItemAtFilePath(this);
 }
 
 bool DownloadItemImpl::ShouldOpenFileBasedOnExtension() {
diff --git a/chromium/content/browser/download/download_item_impl_delegate.cc b/chromium/content/browser/download/download_item_impl_delegate.cc
index 2e3367aa07f..07b8efe704b 100644
--- a/chromium/content/browser/download/download_item_impl_delegate.cc
+++ b/chromium/content/browser/download/download_item_impl_delegate.cc
@@ -72,6 +72,11 @@ void DownloadItemImplDelegate::UpdatePersistence(DownloadItemImpl* download) {}
 
 void DownloadItemImplDelegate::OpenDownload(DownloadItemImpl* download) {}
 
+bool DownloadItemImplDelegate::IsMostRecentDownloadItemAtFilePath(
+    DownloadItemImpl* download) {
+  return true;
+}
+
 void DownloadItemImplDelegate::ShowDownloadInShell(DownloadItemImpl* download) {
 }
 
diff --git a/chromium/content/browser/download/download_item_impl_delegate.h b/chromium/content/browser/download/download_item_impl_delegate.h
index fd193ac464d..9e6fe9792a8 100644
--- a/chromium/content/browser/download/download_item_impl_delegate.h
+++ b/chromium/content/browser/download/download_item_impl_delegate.h
@@ -85,6 +85,10 @@ class CONTENT_EXPORT DownloadItemImplDelegate {
   // Opens the file associated with this download.
   virtual void OpenDownload(DownloadItemImpl* download);
 
+  // Returns whether this is the most recent download in the rare event where
+  // multiple downloads are associated with the same file path.
+  virtual bool IsMostRecentDownloadItemAtFilePath(DownloadItemImpl* download);
+
   // Shows the download via the OS shell.
   virtual void ShowDownloadInShell(DownloadItemImpl* download);
 
diff --git a/chromium/content/browser/download/download_manager_impl.cc b/chromium/content/browser/download/download_manager_impl.cc
index d69a4312464..f0a8def87fa 100644
--- a/chromium/content/browser/download/download_manager_impl.cc
+++ b/chromium/content/browser/download/download_manager_impl.cc
@@ -773,6 +773,12 @@ void DownloadManagerImpl::OpenDownload(DownloadItemImpl* download) {
     delegate_->OpenDownload(download);
 }
 
+bool DownloadManagerImpl::IsMostRecentDownloadItemAtFilePath(
+    DownloadItemImpl* download) {
+  return delegate_ ? delegate_->IsMostRecentDownloadItemAtFilePath(download)
+                   : false;
+}
+
 void DownloadManagerImpl::ShowDownloadInShell(DownloadItemImpl* download) {
   if (delegate_)
     delegate_->ShowDownloadInShell(download);
diff --git a/chromium/content/browser/download/download_manager_impl.h b/chromium/content/browser/download/download_manager_impl.h
index 67c48e31692..db754d92f2a 100644
--- a/chromium/content/browser/download/download_manager_impl.h
+++ b/chromium/content/browser/download/download_manager_impl.h
@@ -196,6 +196,7 @@ class CONTENT_EXPORT DownloadManagerImpl : public DownloadManager,
       std::unique_ptr<content::DownloadUrlParameters> params,
       uint32_t id) override;
   void OpenDownload(DownloadItemImpl* download) override;
+  bool IsMostRecentDownloadItemAtFilePath(DownloadItemImpl* download) override;
   void ShowDownloadInShell(DownloadItemImpl* download) override;
   void DownloadRemoved(DownloadItemImpl* download) override;
 
diff --git a/chromium/content/public/browser/download_manager_delegate.cc b/chromium/content/public/browser/download_manager_delegate.cc
index 9351ce22711..8e47e0ced84 100644
--- a/chromium/content/public/browser/download_manager_delegate.cc
+++ b/chromium/content/public/browser/download_manager_delegate.cc
@@ -34,6 +34,11 @@ bool DownloadManagerDelegate::ShouldOpenDownload(
   return true;
 }
 
+bool DownloadManagerDelegate::IsMostRecentDownloadItemAtFilePath(
+    DownloadItem* download) {
+  return true;
+}
+
 bool DownloadManagerDelegate::GenerateFileHash() {
   return false;
 }
diff --git a/chromium/content/public/browser/download_manager_delegate.h b/chromium/content/public/browser/download_manager_delegate.h
index dc33ded9221..ec18ae9c66c 100644
--- a/chromium/content/public/browser/download_manager_delegate.h
+++ b/chromium/content/public/browser/download_manager_delegate.h
@@ -148,6 +148,10 @@ class CONTENT_EXPORT DownloadManagerDelegate {
   // Opens the file associated with this download.
   virtual void OpenDownload(DownloadItem* download) {}
 
+  // Returns whether this is the most recent download in the rare event where
+  // multiple downloads are associated with the same file path.
+  virtual bool IsMostRecentDownloadItemAtFilePath(DownloadItem* download);
+
   // Shows the download via the OS shell.
   virtual void ShowDownloadInShell(DownloadItem* download) {}